fix(security): close auth & site-scoping gaps across 8 findings

Resolves the auth-theme batch from the 2026-05-28 baseline review (8 findings
across Security/CentralUI/ManagementService/CLI). The most consequential gaps:
NotificationReport + SiteCallsReport now route through SiteScopeService so a
site-scoped Deployment user cannot see or act on other sites' rows (CUI-028);
QueryAuditLogCommand is no longer "any authenticated user" — gated Admin-only
to match /api/audit/query's strictness (MS-018); RoleMapper preserves the
broader grant when a user is in both an unscoped and scoped Deployment LDAP
group, instead of silently narrowing to the scoped set (Sec-016); and the
dead SiteScopeRequirement/Handler are deleted so SiteScopeService is
unambiguously the sole site-scoping mechanism (Sec-017). Pending findings:
172 → 164.

src/ScadaLink.CLI/Commands/AuditQueryHelpers.cs

@@ -189,7 +189,9 @@ public static class AuditQueryHelpers
             {
                 OutputFormatter.WriteError(
                     response.Error ?? "Audit query failed.", response.ErrorCode ?? "ERROR");
-                return 1;
+                // CLI-018: surface the documented "authorization failure → exit 2"
+                // contract for the audit REST surface too, not just /management.
+                return CommandHelpers.IsAuthorizationFailure(response) ? 2 : 1;
             }
 
             using var doc = JsonDocument.Parse(response.JsonData);